[arch-commits] Commit in perl/trunk (PKGBUILD digest_eval_hole.diff)
Florian Pritz
bluewind at archlinux.org
Wed Jan 18 17:05:16 UTC 2012
Date: Wednesday, January 18, 2012 @ 12:05:15
Author: bluewind
Revision: 146805
upgpkg: perl 5.14.2-7
fix eval hole in Digest
Added:
perl/trunk/digest_eval_hole.diff
Modified:
perl/trunk/PKGBUILD
-----------------------+
PKGBUILD | 6 +++-
digest_eval_hole.diff | 61 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2012-01-18 16:24:18 UTC (rev 146804)
+++ PKGBUILD 2012-01-18 17:05:15 UTC (rev 146805)
@@ -5,7 +5,7 @@
# Contributor: francois <francois.archlinux.org>
pkgname=perl
pkgver=5.14.2
-pkgrel=6
+pkgrel=7
pkgdesc="A highly capable, feature-rich programming language"
arch=(i686 x86_64)
license=('GPL' 'PerlArtistic')
@@ -17,6 +17,7 @@
perlbin.sh
perlbin.csh
provides.pl
+digest_eval_hole.diff
0001-Append-CFLAGS-and-LDFLAGS-to-their-Config.pm-counter.patch)
install=perl.install
options=('makeflags' '!purge')
@@ -24,6 +25,7 @@
'5ed2542fdb9a60682f215bd33701e61a'
'1f0cbbee783e8a6d32f01be5118e0d5e'
'31fc0b5bb4935414394c5cfbec2cb8e5'
+ '490852b3d77c3b3866d0d75f5fbf5c5d'
'c25d86206d649046538c3daab7874564')
build() {
@@ -37,6 +39,8 @@
arch_opts=""
fi
+ patch -Np1 -i $srcdir/digest_eval_hole.diff
+
./Configure -des -Dusethreads -Duseshrplib -Doptimize="${CFLAGS}" \
-Dprefix=/usr -Dinstallprefix=${pkgdir}/usr -Dvendorprefix=/usr \
-Dprivlib=/usr/share/perl5/core_perl \
Added: digest_eval_hole.diff
===================================================================
--- digest_eval_hole.diff (rev 0)
+++ digest_eval_hole.diff 2012-01-18 17:05:15 UTC (rev 146805)
@@ -0,0 +1,61 @@
+From 4b6a7324284e7435a361c58f7ddb32fc0c635bd0 Mon Sep 17 00:00:00 2001
+From: "Michael G. Schwern" <schwern at pobox.com>
+Date: Mon, 3 Oct 2011 19:05:29 +0100
+Subject: Close the eval "require $module" security hole in
+ Digest->new($algorithm)
+
+Also the filter was incomplete.
+
+Bug-Debian: http://bugs.debian.org/644108
+
+Patch-Name: fixes/digest_eval_hole.diff
+---
+ cpan/Digest/Digest.pm | 6 ++++--
+ cpan/Digest/t/security.t | 14 ++++++++++++++
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 cpan/Digest/t/security.t
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..d714434 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -24,7 +24,7 @@ sub new
+ shift; # class ignored
+ my $algorithm = shift;
+ my $impl = $MMAP{$algorithm} || do {
+- $algorithm =~ s/\W+//;
++ $algorithm =~ s/\W+//g;
+ "Digest::$algorithm";
+ };
+ $impl = [$impl] unless ref($impl);
+@@ -35,7 +35,9 @@ sub new
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
+diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t
+new file mode 100644
+index 0000000..5cba122
+--- /dev/null
++++ b/cpan/Digest/t/security.t
+@@ -0,0 +1,14 @@
++#!/usr/bin/env perl
++
++# Digest->new() had an exploitable eval
++
++use strict;
++use warnings;
++
++use Test::More tests => 1;
++
++use Digest;
++
++$LOL::PWNED = 0;
++eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
++is $LOL::PWNED, 0;
More information about the arch-commits
mailing list